@eventuras/fides-auth 0.3.0

package/dist/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Fides Auth - OAuth/OIDC Authentication Library
+ *
+ * Generic authentication utilities with support for multiple providers.
+ */
+export * from './logger';
+export * from './session-refresh';
+export * from './session-validation';
+export * from './utils';
+export * from './types';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,UAAU,CAAC;AACzB,cAAc,mBAAmB,CAAC;AAClC,cAAc,sBAAsB,CAAC;AACrC,cAAc,SAAS,CAAC;AACxB,cAAc,SAAS,CAAC"}

package/dist/index.js

@@ -0,0 +1,6 @@
+import { configureLogger as e, createLogger as t } from "./logger.js";
+import { a as n, c as r, d as i, i as a, l as o, n as s, o as c, r as l, s as u, t as d, u as f } from "./utils-ByMRF7b2.js";
+import { n as p, t as m } from "./session-validation-BxObT3wC.js";
+import { refreshSession as h } from "./session-refresh.js";
+import "./types.js";
+export { d as accessTokenExpires, e as configureLogger, s as createEncryptedJWT, t as createLogger, l as decrypt, a as encrypt, n as generateToken, c as getSessionSecret, u as getSessionSecretUint8Array, r as hexToUint8Array, m as isSession, h as refreshSession, o as sha256, f as sha512, i as toHex, p as validateSessionJwt };

package/dist/logger.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Pluggable logger for fides-auth.
+ *
+ * By default, uses a console-based logger. Users can provide their own
+ * implementation (pino, winston, etc.) via `configureLogger()`.
+ *
+ * @example
+ * // Use default console logger (no setup needed)
+ * import { createLogger } from '@eventuras/fides-auth/logger';
+ * const logger = createLogger({ namespace: 'my-app:auth' });
+ * logger.info('Authentication successful');
+ *
+ * @example
+ * // Plug in pino
+ * import pino from 'pino';
+ * import { configureLogger } from '@eventuras/fides-auth/logger';
+ *
+ * const pinoInstance = pino();
+ * configureLogger({
+ *   create({ namespace, context }) {
+ *     return pinoInstance.child({ namespace, ...context });
+ *   },
+ * });
+ *
+ * @example
+ * // Plug in @eventuras/logger
+ * import { Logger } from '@eventuras/logger';
+ * import { configureLogger } from '@eventuras/fides-auth/logger';
+ *
+ * configureLogger({
+ *   create(options) {
+ *     return Logger.create(options);
+ *   },
+ * });
+ */
+/**
+ * Logger interface compatible with pino, winston, and console.
+ *
+ * All methods accept either:
+ * - A string message: `logger.info('hello')`
+ * - A context object and message: `logger.info({ userId: 123 }, 'User logged in')`
+ */
+export interface FidesLogger {
+    debug(data?: Record<string, unknown> | string, msg?: string): void;
+    info(data?: Record<string, unknown> | string, msg?: string): void;
+    warn(data?: Record<string, unknown> | string, msg?: string): void;
+    error(data?: Record<string, unknown> | string, msg?: string): void;
+}
+/** Options for creating a logger instance. */
+export interface FidesLoggerOptions {
+    /** Namespace for log filtering (e.g., 'fides-auth:oauth') */
+    namespace: string;
+    /** Persistent context fields included in every log entry */
+    context?: Record<string, unknown>;
+}
+/** Factory that creates logger instances. Implement this to integrate your preferred logger. */
+export interface FidesLoggerFactory {
+    create(options: FidesLoggerOptions): FidesLogger;
+}
+/**
+ * Configure a custom logger factory for fides-auth.
+ *
+ * Can be called at any time — even after modules have already created loggers.
+ * Existing loggers will pick up the new factory on their next log call.
+ *
+ * If not called, fides-auth uses a console-based logger.
+ *
+ * @param factory - A factory that creates logger instances
+ */
+export declare function configureLogger(factory: FidesLoggerFactory): void;
+/**
+ * Create a logger instance using the configured factory.
+ *
+ * Returns a lazy proxy: the underlying logger is created (or re-created)
+ * on first use and whenever the factory is changed via `configureLogger()`.
+ * This means module-scope loggers work correctly even when `configureLogger()`
+ * is called after module imports.
+ *
+ * @param options - Logger options including namespace and optional context
+ * @returns A logger instance
+ */
+export declare function createLogger(options: FidesLoggerOptions): FidesLogger;
+//# sourceMappingURL=logger.d.ts.map

package/dist/logger.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"logger.d.ts","sourceRoot":"","sources":["../src/logger.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAEH;;;;;;GAMG;AACH,MAAM,WAAW,WAAW;IAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnE,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClE,IAAI,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClE,KAAK,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,EAAE,GAAG,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACpE;AAED,8CAA8C;AAC9C,MAAM,WAAW,kBAAkB;IACjC,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACnC;AAED,gGAAgG;AAChG,MAAM,WAAW,kBAAkB;IACjC,MAAM,CAAC,OAAO,EAAE,kBAAkB,GAAG,WAAW,CAAC;CAClD;AAkED;;;;;;;;;GASG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,kBAAkB,GAAG,IAAI,CAGjE;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,YAAY,CAAC,OAAO,EAAE,kBAAkB,GAAG,WAAW,CAkBrE"}

package/dist/logger.js

@@ -0,0 +1,46 @@
+//#region src/logger.ts
+var e = class {
+	prefix;
+	constructor(e, t) {
+		this.prefix = `[${e}]${t && Object.keys(t).length > 0 ? ` ${JSON.stringify(t)}` : ""}`;
+	}
+	debug(e, t) {
+		typeof e == "string" ? console.debug(this.prefix, e) : t ? console.debug(this.prefix, t, e) : e && console.debug(this.prefix, e);
+	}
+	info(e, t) {
+		typeof e == "string" ? console.info(this.prefix, e) : t ? console.info(this.prefix, t, e) : e && console.info(this.prefix, e);
+	}
+	warn(e, t) {
+		typeof e == "string" ? console.warn(this.prefix, e) : t ? console.warn(this.prefix, t, e) : e && console.warn(this.prefix, e);
+	}
+	error(e, t) {
+		typeof e == "string" ? console.error(this.prefix, e) : t ? console.error(this.prefix, t, e) : e && console.error(this.prefix, e);
+	}
+}, t = { create({ namespace: t, context: n }) {
+	return new e(t, n);
+} }, n = 0;
+function r(e) {
+	t = e, n++;
+}
+function i(e) {
+	let r = null, i = -1;
+	function a() {
+		return (r === null || i !== n) && (r = t.create(e), i = n), r;
+	}
+	return {
+		debug(e, t) {
+			a().debug(e, t);
+		},
+		info(e, t) {
+			a().info(e, t);
+		},
+		warn(e, t) {
+			a().warn(e, t);
+		},
+		error(e, t) {
+			a().error(e, t);
+		}
+	};
+}
+//#endregion
+export { r as configureLogger, i as createLogger };

package/dist/oauth-browser.d.ts

@@ -0,0 +1,62 @@
+/**
+ * Browser-compatible OAuth 2.0 + PKCE helpers
+ *
+ * This module provides OAuth 2.0 helpers that work in browser environments.
+ * Unlike `oauth.ts` which uses openid-client (Node.js only), this uses
+ * browser-native Web Crypto API for PKCE generation.
+ *
+ * **Use this in:**
+ * - Vite/React SPAs
+ * - Browser-only applications
+ * - Any frontend that can't use Node.js APIs
+ *
+ * **Usage:**
+ * ```typescript
+ * import { generatePKCE, buildAuthorizationUrl, exchangeCodeForTokens }
+ *   from '@eventuras/fides-auth/oauth-browser';
+ *
+ * // 1. Start OAuth flow
+ * const pkce = await generatePKCE();
+ * sessionStorage.setItem('code_verifier', pkce.code_verifier);
+ * sessionStorage.setItem('state', pkce.state);
+ *
+ * const authUrl = buildAuthorizationUrl(config, pkce);
+ * window.location.href = authUrl;
+ *
+ * // 2. Handle callback
+ * const code = new URLSearchParams(window.location.search).get('code');
+ * const verifier = sessionStorage.getItem('code_verifier');
+ * const tokens = await exchangeCodeForTokens(config, code, verifier);
+ * ```
+ */
+/** Configuration for browser-side OAuth / OIDC flows (no client secret). */
+export interface OAuthConfig {
+    issuer: string;
+    clientId: string;
+    redirect_uri: string;
+    scope: string;
+}
+/** PKCE parameters for a browser-initiated authorization request. */
+export interface PKCEParams {
+    code_verifier: string;
+    code_challenge: string;
+    state: string;
+}
+/**
+ * Generate PKCE parameters for OAuth flow
+ */
+export declare function generatePKCE(): Promise<PKCEParams>;
+/**
+ * Build authorization URL for OAuth flow
+ */
+export declare function buildAuthorizationUrl(config: OAuthConfig, pkce: PKCEParams): string;
+/**
+ * Exchange authorization code for tokens
+ */
+export declare function exchangeCodeForTokens(config: OAuthConfig, code: string, codeVerifier: string): Promise<{
+    access_token: string;
+    id_token: string;
+    refresh_token?: string;
+    expires_in: number;
+}>;
+//# sourceMappingURL=oauth-browser.d.ts.map

package/dist/oauth-browser.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth-browser.d.ts","sourceRoot":"","sources":["../src/oauth-browser.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,4EAA4E;AAC5E,MAAM,WAAW,WAAW;IAC1B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qEAAqE;AACrE,MAAM,WAAW,UAAU;IACzB,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;CACf;AA+BD;;GAEG;AACH,wBAAsB,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC,CAUxD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,UAAU,GACf,MAAM,CAYR;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,WAAW,EACnB,IAAI,EAAE,MAAM,EACZ,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC;IACT,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC,CAqBD"}

package/dist/oauth-browser.js

@@ -0,0 +1,49 @@
+//#region src/oauth-browser.ts
+function e(e) {
+	let t = new Uint8Array(e);
+	return crypto.getRandomValues(t), Array.from(t).map((e) => "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"[e % 66]).join("");
+}
+async function t(e) {
+	let t = new TextEncoder().encode(e), n = await crypto.subtle.digest("SHA-256", t);
+	return btoa(String.fromCharCode(...new Uint8Array(n))).replaceAll("+", "-").replaceAll("/", "_").replace(/=+$/, "");
+}
+async function n() {
+	let n = e(128);
+	return {
+		code_verifier: n,
+		code_challenge: await t(n),
+		state: e(32)
+	};
+}
+function r(e, t) {
+	let n = new URLSearchParams({
+		client_id: e.clientId,
+		redirect_uri: e.redirect_uri,
+		response_type: "code",
+		scope: e.scope,
+		state: t.state,
+		code_challenge: t.code_challenge,
+		code_challenge_method: "S256"
+	});
+	return `${e.issuer}/auth?${n.toString()}`;
+}
+async function i(e, t, n) {
+	let r = await fetch(`${e.issuer}/token`, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "authorization_code",
+			code: t,
+			redirect_uri: e.redirect_uri,
+			client_id: e.clientId,
+			code_verifier: n
+		})
+	});
+	if (!r.ok) {
+		let e = await r.text();
+		throw Error(`Token exchange failed: ${r.status} - ${e}`);
+	}
+	return r.json();
+}
+//#endregion
+export { r as buildAuthorizationUrl, i as exchangeCodeForTokens, n as generatePKCE };

package/dist/oauth.d.ts

@@ -0,0 +1,145 @@
+import { Session } from './types';
+import * as openid from 'openid-client';
+export type { Configuration, TokenEndpointResponse } from 'openid-client';
+/** Default OIDC scope requesting user identity, profile, email, and offline access. */
+export declare const defaultScope = "openid profile email offline_access";
+/** Configuration for server-side OAuth / OIDC flows. */
+export type OAuthConfig = {
+    issuer: string;
+    clientId: string;
+    clientSecret: string;
+    redirect_uri: string;
+    scope: string;
+};
+/**
+ * Refreshes an access token using a refresh token grant.
+ *
+ * @param oAuthConfig - OAuth configuration for the identity provider
+ * @param refreshToken - The refresh token to exchange
+ * @returns Token endpoint response containing new access and refresh tokens
+ */
+export declare function refreshAccessToken(oAuthConfig: OAuthConfig, refreshToken: string): Promise<openid.TokenEndpointResponse>;
+/** PKCE parameters generated for an authorization request. */
+export interface PKCEOptions {
+    code_verifier: string;
+    code_challenge: string;
+    state: string;
+    parameters: Record<string, string>;
+}
+/**
+ * Creates PKCE parameters for an OAuth flow.
+ *
+ * @param config - OAuthConfig configuration including the redirect URI and scope.
+ * @returns A promise that resolves to an object containing:
+ *  - code_verifier: The randomly generated PKCE code verifier.
+ *  - code_challenge: The derived PKCE code challenge.
+ *  - state: A random state to protect against CSRF.
+ *  - parameters: A Record<string,string> with the assembled parameters.
+ */
+export declare function buildPKCEOptions(config: OAuthConfig): Promise<PKCEOptions>;
+/**
+ * Builds an authorization URL with PKCE parameters.
+ *
+ * @param config - Discovered OpenID Configuration (use openid.discovery() to obtain)
+ * @param pkceOptions - The PKCE options (e.g., code challenge, state, parameters)
+ * @returns A Promise that resolves to the authorization URL
+ */
+export declare function buildAuthorizationUrl(config: openid.Configuration, pkceOptions: PKCEOptions): Promise<URL>;
+/**
+ * Convenience function to discover OpenID configuration and build authorization URL.
+ * This combines discovery + buildAuthorizationUrl in one call.
+ *
+ * @param oauthConfig - Your OAuth configuration
+ * @param pkceOptions - The PKCE options (e.g., code challenge, state, parameters)
+ * @returns A Promise that resolves to the authorization URL
+ */
+export declare function discoverAndBuildAuthorizationUrl(oauthConfig: OAuthConfig, pkceOptions: PKCEOptions): Promise<URL>;
+/**
+ * Configuration for OAuth client credentials flow (machine-to-machine authentication)
+ */
+export type ClientCredentialsConfig = {
+    /** OAuth token endpoint URL */
+    tokenEndpoint: string;
+    /** OAuth client ID */
+    clientId: string;
+    /** OAuth client secret */
+    clientSecret: string;
+    /** Optional scope for the access token */
+    scope?: string;
+};
+/**
+ * Exchanges an authorization code for tokens using OIDC discovery and PKCE.
+ *
+ * @param oauthConfig - OAuth configuration
+ * @param callbackUrl - The full callback URL with query parameters from the OIDC provider
+ * @param codeVerifier - The PKCE code verifier stored during login initiation
+ * @param expectedState - The state parameter stored during login initiation
+ * @returns Token response from the OIDC provider
+ */
+export declare function exchangeAuthorizationCode(oauthConfig: OAuthConfig, callbackUrl: URL, codeVerifier: string, expectedState: string): Promise<openid.TokenEndpointResponse>;
+/**
+ * Result of extracting user information from an OIDC token response.
+ */
+export interface OidcUserInfo {
+    sub: string;
+    name: string;
+    email: string;
+    roles: string[];
+}
+/**
+ * Extracts user information from an OIDC token response.
+ * Decodes the ID token and extracts standard claims plus roles from a configurable claim.
+ *
+ * @param tokens - Token response from the OIDC provider
+ * @param rolesClaim - Name of the claim containing user roles (default: 'roles')
+ * @returns Extracted user information
+ */
+export declare function extractUserFromTokens(tokens: openid.TokenEndpointResponse, rolesClaim?: string): OidcUserInfo;
+/**
+ * Builds a Session object from an OIDC token response.
+ * Maps provider tokens and user claims into the internal Session format.
+ *
+ * @param tokens - Token response from the OIDC provider
+ * @param rolesClaim - Name of the claim containing user roles (default: 'roles')
+ * @returns A Session object ready to be encrypted and stored
+ */
+export declare function buildSessionFromTokens(tokens: openid.TokenEndpointResponse, rolesClaim?: string): Session;
+/**
+ * Validates a return URL against open redirect attacks.
+ * Ensures the URL is same-origin and passes optional custom validation.
+ *
+ * @param returnTo - The raw returnTo path/URL to validate
+ * @param applicationOrigin - The application's origin URL (e.g., 'https://example.com')
+ * @param defaultPath - Fallback path if validation fails (default: '/')
+ * @param validate - Optional custom validation function for the pathname
+ * @returns A safe, validated URL
+ */
+export declare function validateReturnUrl(returnTo: string | null | undefined, applicationOrigin: string, defaultPath?: string, validate?: (pathname: string) => boolean): URL;
+/**
+ * Discovers the OIDC provider's end_session_endpoint and builds a logout URL.
+ * Returns null if the provider doesn't expose an end_session_endpoint.
+ *
+ * @param oauthConfig - OAuth configuration (issuer, clientId, clientSecret)
+ * @param postLogoutRedirectUri - URL to redirect to after provider logout
+ * @returns Logout URL or null if not supported
+ */
+export declare function buildOidcLogoutUrl(oauthConfig: OAuthConfig, postLogoutRedirectUri: string): Promise<URL | null>;
+/**
+ * Performs OAuth 2.0 client credentials grant flow for machine-to-machine authentication.
+ *
+ * @param config - Client credentials configuration including token endpoint, client ID, and secret
+ * @returns Token response from the OAuth provider
+ * @throws Error if the token request fails
+ *
+ * @example
+ * ```typescript
+ * const tokens = await clientCredentialsGrant({
+ *   tokenEndpoint: 'https://api.example.com/oauth2/token',
+ *   clientId: 'my-client-id',
+ *   clientSecret: 'my-client-secret',
+ *   scope: 'api:read api:write',
+ * });
+ * ```
+ */
+export declare function clientCredentialsGrant(config: ClientCredentialsConfig): Promise<openid.TokenEndpointResponse>;
+//# sourceMappingURL=oauth.d.ts.map

package/dist/oauth.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"oauth.d.ts","sourceRoot":"","sources":["../src/oauth.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AAGxC,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAKvC,YAAY,EAAE,aAAa,EAAE,qBAAqB,EAAE,MAAM,eAAe,CAAC;AAE1E,uFAAuF;AACvF,eAAO,MAAM,YAAY,wCAAwC,CAAC;AAElE,wDAAwD;AACxD,MAAM,MAAM,WAAW,GAAG;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,KAAK,EAAE,MAAM,CAAC;CACf,CAAC;AAEF;;;;;;GAMG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,WAAW,EACxB,YAAY,EAAE,MAAM,GACnB,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CA6CvC;AAED,8DAA8D;AAC9D,MAAM,WAAW,WAAW;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,cAAc,EAAE,MAAM,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CACpC;AAED;;;;;;;;;GASG;AACH,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,WAAW,GAAG,OAAO,CAAC,WAAW,CAAC,CAmBhF;AAED;;;;;;GAMG;AACH,wBAAsB,qBAAqB,CACzC,MAAM,EAAE,MAAM,CAAC,aAAa,EAC5B,WAAW,EAAE,WAAW,GACvB,OAAO,CAAC,GAAG,CAAC,CASd;AAED;;;;;;;GAOG;AACH,wBAAsB,gCAAgC,CACpD,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,WAAW,GACvB,OAAO,CAAC,GAAG,CAAC,CAgBd;AAED;;GAEG;AACH,MAAM,MAAM,uBAAuB,GAAG;IACpC,+BAA+B;IAC/B,aAAa,EAAE,MAAM,CAAC;IACtB,sBAAsB;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,0BAA0B;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AAEF;;;;;;;;GAQG;AACH,wBAAsB,yBAAyB,CAC7C,WAAW,EAAE,WAAW,EACxB,WAAW,EAAE,GAAG,EAChB,YAAY,EAAE,MAAM,EACpB,aAAa,EAAE,MAAM,GACpB,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAiCvC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED;;;;;;;GAOG;AACH,wBAAgB,qBAAqB,CACnC,MAAM,EAAE,MAAM,CAAC,qBAAqB,EACpC,UAAU,GAAE,MAAgB,GAC3B,YAAY,CAoBd;AAED;;;;;;;GAOG;AACH,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,MAAM,CAAC,qBAAqB,EACpC,UAAU,GAAE,MAAgB,GAC3B,OAAO,CAqBT;AAED;;;;;;;;;GASG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,EACnC,iBAAiB,EAAE,MAAM,EACzB,WAAW,GAAE,MAAY,EACzB,QAAQ,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,GACvC,GAAG,CA+BL;AAED;;;;;;;GAOG;AACH,wBAAsB,kBAAkB,CACtC,WAAW,EAAE,WAAW,EACxB,qBAAqB,EAAE,MAAM,GAC5B,OAAO,CAAC,GAAG,GAAG,IAAI,CAAC,CAyBrB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAsB,sBAAsB,CAC1C,MAAM,EAAE,uBAAuB,GAC9B,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC,CAgCvC"}

package/dist/oauth.js

@@ -0,0 +1,165 @@
+import { createLogger as e } from "./logger.js";
+import { t } from "./decode_jwt-1J26fl4I.js";
+import { a as n, c as r, i, n as a, o, r as s, s as c, t as l } from "./build-CNL3v39v.js";
+//#region src/oauth.ts
+var u = e({ namespace: "fides-auth:oauth" }), d = "openid profile email offline_access";
+async function f(e, t) {
+	u.debug({ issuer: e.issuer }, "Starting token refresh");
+	try {
+		let i = await r(await n(new URL(e.issuer), e.clientId, e.clientSecret, l(e.clientSecret)), t, { scope: e.scope });
+		return u.info({
+			hasAccessToken: !!i.access_token,
+			hasRefreshToken: !!i.refresh_token,
+			expiresIn: i.expires_in
+		}, "Token refresh successful"), i;
+	} catch (t) {
+		let n = t;
+		throw n?.code === "OAUTH_RESPONSE_BODY_ERROR" && n?.error === "invalid_grant" ? u.info({
+			error: n.error,
+			error_description: n.error_description,
+			issuer: e.issuer
+		}, "Token refresh failed - refresh token expired or invalid") : u.error({
+			error: t,
+			issuer: e.issuer
+		}, "Token refresh failed"), t;
+	}
+}
+async function p(e) {
+	let t = o(), n = await i(t), r = c(), a = {
+		redirect_uri: e.redirect_uri,
+		scope: e.scope ?? "openid profile email offline_access",
+		code_challenge: n,
+		code_challenge_method: "S256",
+		state: r
+	};
+	return u.info({
+		redirectUri: e.redirect_uri,
+		scope: a.scope
+	}, "PKCE parameters generated"), {
+		code_verifier: t,
+		code_challenge: n,
+		state: r,
+		parameters: a
+	};
+}
+async function m(e, t) {
+	try {
+		let n = s(e, t.parameters);
+		return u.info({ authUrl: n.origin }, "Authorization URL built successfully"), n;
+	} catch (e) {
+		throw u.error({ error: e }, "Failed to build authorization URL"), e;
+	}
+}
+async function h(e, t) {
+	u.debug({ issuer: e.issuer }, "Discovering OpenID configuration");
+	try {
+		return m(await n(new URL(e.issuer), e.clientId, e.clientSecret, l(e.clientSecret)), t);
+	} catch (t) {
+		throw u.error({
+			error: t,
+			issuer: e.issuer
+		}, "Failed to discover config or build URL"), t;
+	}
+}
+async function g(e, t, r, i) {
+	u.debug({
+		issuer: e.issuer,
+		clientId: e.clientId
+	}, "Exchanging authorization code for tokens");
+	let o = await a(await n(new URL(e.issuer), e.clientId, e.clientSecret, l(e.clientSecret)), t, {
+		pkceCodeVerifier: r,
+		expectedState: i
+	}, { redirect_uri: e.redirect_uri });
+	return u.info({
+		hasAccessToken: !!o.access_token,
+		hasRefreshToken: !!o.refresh_token,
+		expiresIn: o.expires_in
+	}, "Authorization code exchange successful"), o;
+}
+function _(e, n = "roles") {
+	if (!e.id_token) throw Error("OIDC token response is missing id_token");
+	let r = t(e.id_token), i = r[n], a = typeof i == "string" ? [i] : [], o = Array.isArray(i) ? i : a;
+	return u.debug({
+		sub: r.sub,
+		rolesClaim: n,
+		rolesCount: o.length
+	}, "Extracted user from ID token"), {
+		sub: r.sub ?? "",
+		name: r.name,
+		email: r.email,
+		roles: o
+	};
+}
+function v(e, t = "roles") {
+	if (!e.access_token) throw Error("OIDC token response is missing access_token");
+	let n = _(e, t);
+	return {
+		tokens: {
+			accessToken: e.access_token,
+			accessTokenExpiresAt: e.expires_in ? new Date(Date.now() + e.expires_in * 1e3) : void 0,
+			refreshToken: e.refresh_token
+		},
+		user: {
+			name: n.name,
+			email: n.email,
+			roles: n.roles
+		}
+	};
+}
+function y(e, t, n = "/", r) {
+	let i = e ?? n, a;
+	try {
+		a = new URL(i, t);
+	} catch {
+		return u.warn({ returnTo: i }, "Invalid returnTo URL, using default"), new URL(n, t);
+	}
+	let o = new URL(t);
+	return a.origin === o.origin ? r && !r(a.pathname) ? (u.warn({ pathname: a.pathname }, "returnTo failed custom validation, falling back to default"), new URL(n, t)) : a : (u.error({
+		returnTo: i,
+		redirectOrigin: a.origin,
+		applicationOrigin: o.origin
+	}, "Possible open redirect attack: returnTo points outside application origin"), new URL(n, t));
+}
+async function b(e, t) {
+	try {
+		let r = (await n(new URL(e.issuer), e.clientId, e.clientSecret, l(e.clientSecret))).serverMetadata().end_session_endpoint;
+		if (!r) return u.info({ issuer: e.issuer }, "No end_session_endpoint found"), null;
+		let i = new URL(r);
+		return i.searchParams.set("client_id", e.clientId), i.searchParams.set("post_logout_redirect_uri", t), u.debug({ logoutUrl: i.toString() }, "Built OIDC logout URL"), i;
+	} catch (t) {
+		return u.warn({
+			error: t,
+			issuer: e.issuer
+		}, "OIDC discovery failed for logout"), null;
+	}
+}
+async function x(e) {
+	try {
+		let t = new URLSearchParams({
+			grant_type: "client_credentials",
+			client_id: e.clientId,
+			client_secret: e.clientSecret
+		});
+		e.scope && t.set("scope", e.scope);
+		let n = await fetch(e.tokenEndpoint, {
+			method: "POST",
+			headers: { "Content-Type": "application/x-www-form-urlencoded" },
+			body: t
+		});
+		if (!n.ok) {
+			let e = await n.text();
+			throw u.error({
+				status: n.status,
+				error: e
+			}, "Client credentials grant failed"), Error(`Client credentials grant failed: ${n.status} - ${e}`);
+		}
+		return await n.json();
+	} catch (t) {
+		throw u.error({
+			error: t,
+			tokenEndpoint: e.tokenEndpoint
+		}, "Client credentials grant error"), t;
+	}
+}
+//#endregion
+export { m as buildAuthorizationUrl, b as buildOidcLogoutUrl, p as buildPKCEOptions, v as buildSessionFromTokens, x as clientCredentialsGrant, d as defaultScope, h as discoverAndBuildAuthorizationUrl, g as exchangeAuthorizationCode, _ as extractUserFromTokens, f as refreshAccessToken, y as validateReturnUrl };

package/dist/providers/vipps/client.d.ts

@@ -0,0 +1,62 @@
+import { PKCEOptions } from '../../oauth';
+import { VippsLoginConfig, VippsUserInfo } from './types';
+/**
+ * Vipps Login Client
+ *
+ * Client for Vipps Login (OIDC) authentication flow.
+ * Implements OAuth/OIDC operations with PKCE for Vipps.
+ */
+import * as openid from 'openid-client';
+/**
+ * Vipps Login Client
+ *
+ * Handles Vipps Login (OIDC) authentication flow using PKCE.
+ */
+export declare class VippsLoginClient {
+    private readonly config;
+    private readonly oauthConfig;
+    private configPromise;
+    constructor(config: VippsLoginConfig);
+    /**
+     * Get OpenID Configuration (cached)
+     * This ensures we use the same Configuration instance across all operations
+     */
+    private getConfig;
+    /**
+     * Build PKCE options for authorization flow
+     *
+     * @returns PKCE options including code_verifier, code_challenge, and state
+     */
+    buildPKCEOptions(): Promise<PKCEOptions>;
+    /**
+     * Build authorization URL for Vipps Login
+     *
+     * @param pkceOptions - PKCE options from buildPKCEOptions()
+     * @returns Authorization URL to redirect user to
+     */
+    buildAuthorizationUrl(pkceOptions: PKCEOptions): Promise<URL>;
+    /**
+     * Exchange authorization code for tokens
+     *
+     * @param callbackUrl - The full callback URL with code parameter from Vipps
+     * @param codeVerifier - PKCE code verifier from initial request
+     * @param expectedState - Expected state value for validation (optional)
+     * @returns Token response with access_token, id_token, and refresh_token
+     */
+    exchangeCodeForTokens(callbackUrl: string | URL, codeVerifier: string, expectedState?: string): Promise<openid.TokenEndpointResponse>;
+    /**
+     * Get user information from Vipps userinfo endpoint
+     *
+     * @param accessToken - Access token from token exchange
+     * @returns Vipps user information
+     */
+    getUserInfo(accessToken: string): Promise<VippsUserInfo>;
+    /**
+     * Refresh access token using refresh token
+     *
+     * @param refreshToken - Refresh token from initial token exchange
+     * @returns New token response
+     */
+    refreshTokens(refreshToken: string): Promise<openid.TokenEndpointResponse>;
+}
+//# sourceMappingURL=client.d.ts.map

package/dist/providers/vipps/client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client.d.ts","sourceRoot":"","sources":["../../../src/providers/vipps/client.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,MAAM,MAAM,eAAe,CAAC;AAGxC,OAAO,EAIL,KAAK,WAAW,EACjB,MAAM,aAAa,CAAC;AACrB,OAAO,EAEL,KAAK,gBAAgB,EACrB,KAAK,aAAa,EACnB,MAAM,SAAS,CAAC;AAOjB;;;;GAIG;AACH,qBAAa,gBAAgB;IAC3B,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAmB;IAC1C,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAc;IAC1C,OAAO,CAAC,aAAa,CAA8C;gBAEvD,MAAM,EAAE,gBAAgB;IAwBpC;;;OAGG;YACW,SAAS;IAYvB;;;;OAIG;IACG,gBAAgB,IAAI,OAAO,CAAC,WAAW,CAAC;IAK9C;;;;;OAKG;IACG,qBAAqB,CAAC,WAAW,EAAE,WAAW,GAAG,OAAO,CAAC,GAAG,CAAC;IAMnE;;;;;;;OAOG;IACG,qBAAqB,CACzB,WAAW,EAAE,MAAM,GAAG,GAAG,EACzB,YAAY,EAAE,MAAM,EACpB,aAAa,CAAC,EAAE,MAAM,GACrB,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC;IAgCxC;;;;;OAKG;IACG,WAAW,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC;IAsD9D;;;;;OAKG;IACG,aAAa,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,qBAAqB,CAAC;CAsBjF"}

package/dist/providers/vipps/index.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Vipps Login Provider
+ *
+ * OAuth/OIDC provider implementation for Vipps Login.
+ * Can be used directly or integrated with framework-specific auth systems.
+ *
+ * @see https://developer.vippsmobilepay.com/docs/APIs/login-api/
+ */
+export * from './types';
+export * from './client';
+//# sourceMappingURL=index.d.ts.map

package/dist/providers/vipps/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/providers/vipps/index.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,cAAc,SAAS,CAAC;AACxB,cAAc,UAAU,CAAC"}